diff --git a/defaults/main.yml b/defaults/main.yml index 26a4133d..0397ace0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -279,8 +279,8 @@ cinder_backend_lvm_inuse: '{{ (cinder_backends|default("")|to_json).find("lvm") cinder_backend_rbd_inuse: '{{ (cinder_backends|default("")|to_json).find("cinder.volume.drivers.rbd.RBDDriver") != -1 }}' ## Policy vars -# Provide a list of access controls to update the default policy.json with. These changes will be merged -# with the access controls in the default policy.json. E.g. +# Provide a list of access controls to merge with the default +# access controls in the service code. #cinder_policy_overrides: # "volume:create": "" # "volume:delete": "" diff --git a/handlers/main.yml b/handlers/main.yml index 119927e6..9a05fbb6 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -28,26 +28,6 @@ - "Restart cinder services" - "venv changed" -# Note (odyssey4me): -# The policy.json file is currently read continually by the services -# and is not only read on service start. We therefore cannot template -# directly to the file read by the service because the new policies -# may not be valid until the service restarts. This is particularly -# important during a major upgrade. We therefore only put the policy -# file in place after the service has been stopped. -# -- name: Copy new policy file into place - copy: - src: "/etc/cinder/policy.json-{{ cinder_venv_tag }}" - dest: "/etc/cinder/policy.json" - owner: "root" - group: "{{ cinder_system_group_name }}" - mode: "0640" - remote_src: yes - listen: - - "Restart cinder services" - - "venv changed" - - name: Start services service: name: "{{ item.service_name }}" diff --git a/tasks/cinder_install_source.yml b/tasks/cinder_install_source.yml index c392ba83..3b7e84f9 100644 --- a/tasks/cinder_install_source.yml +++ b/tasks/cinder_install_source.yml 
@@ -56,6 +56,12 @@ option: "venv_tag" value: "{{ cinder_venv_tag }}" +- name: Link in the os-brick rootwrap filters + file: + src: "{{ cinder_bin | dirname }}/etc/os-brick/rootwrap.d/os-brick.filters" + dest: /etc/cinder/rootwrap.d/os-brick.filters + state: link + - name: Copy cinder rootwrap filters command: >- rsync --archive --itemize-changes --delete diff --git a/tasks/cinder_post_install.yml b/tasks/cinder_post_install.yml index 08d9fdb0..2061ed80 100644 --- a/tasks/cinder_post_install.yml +++ b/tasks/cinder_post_install.yml @@ -13,6 +13,33 @@ # See the License for the specific language governing permissions and # limitations under the License. +# NOTE(cloudnull): This task is required to copy rootwrap filters that we need +# and cinder does not provide by default. +- name: Create aux cinder dir + file: + path: "/etc/cinder/rootwrap.d" + state: "directory" + owner: "root" + group: "root" + +- name: Generate cinder config + config_template: + src: "cinder.conf.j2" + dest: "/etc/cinder/cinder.conf" + owner: "root" + group: "{{ cinder_system_group_name }}" + mode: "0640" + config_overrides: "{{ cinder_cinder_conf_overrides }}" + config_type: "ini" + notify: + - Manage LB + - Restart cinder services + tags: + - cinder-config + - cinder-post-install + +# TODO(cloudnull): Once "master" OSA is using a recent pull for +# cinder this task and templte can be removed. - name: Copy cinder configs config_template: src: "{{ item.src }}" 
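Review bot: The new `Link in the os-brick rootwrap filters` task places a symlink into `/etc/cinder/rootwrap.d` whose target lives in the venv tree, so the effective content of a root-executed rootwrap filter file is whatever the venv's owner can write there; the pre-install hunk creates the venv's `etc/cinder` directory with the service user as default owner, and if the rest of the venv tree is likewise writable by that account the link defeats the root-only-writable requirement that the removed `rootwrap.conf.j2` stated for filter directories. The adjacent `Copy cinder rootwrap filters` task already copies cinder's own filters with rsync (its destination is outside the hunk), and if that destination is `/etc/cinder/rootwrap.d`, its `--delete` flag would remove this link on every run. Copying the os-brick filter as a root-owned regular file avoids both problems and keeps the two tasks consistent. The link task also lacks `force`, so an existing regular `os-brick.filters` left by an earlier version makes the task fail.
```yaml
- name: Copy in the os-brick rootwrap filters
  copy:
    src: "{{ cinder_bin | dirname }}/etc/os-brick/rootwrap.d/os-brick.filters"
    dest: /etc/cinder/rootwrap.d/os-brick.filters
    owner: "root"
    group: "root"
    mode: "0640"
    remote_src: true
```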
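Review bot: `Create aux cinder dir` in cinder_post_install.yml creates `/etc/cinder/rootwrap.d` with no `mode`, so a directory that does not yet exist gets the remote umask default, whereas the pre-install hunk creates the same path with `0750` and the later `Set rootwrap.d permissions` task applies `0640` recursively; three tasks give this one directory three different answers. Adding `mode: "0750"` here keeps the filter directory consistent with pre-install instead of depending on the remote umask until the permissions task runs. The `TODO(cloudnull)` comment above `Copy cinder configs` also has a typo: `templte` should be `template`.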
@@ -23,29 +50,71 @@ config_overrides: "{{ item.config_overrides }}" config_type: "{{ item.config_type }}" with_items: - - src: "cinder.conf.j2" - dest: "/etc/cinder/cinder.conf" - config_overrides: "{{ cinder_cinder_conf_overrides }}" - config_type: "ini" - - src: "api-paste.ini.j2" - dest: "/etc/cinder/api-paste.ini" - config_overrides: "{{ cinder_api_paste_ini_overrides }}" - config_type: "ini" - src: "resource_filters.json.j2" dest: "/etc/cinder/resource_filters.json" config_overrides: "{{ cinder_resource_filters_overrides }}" config_type: "json" - - src: "rootwrap.conf.j2" - dest: "/etc/cinder/rootwrap.conf" - config_overrides: "{{ cinder_rootwrap_conf_overrides }}" - config_type: "ini" - - src: "policy.json.j2" - dest: "/etc/cinder/policy.json-{{ cinder_venv_tag }}" - config_overrides: "{{ cinder_policy_overrides }}" - config_type: "json" notify: - Manage LB - Restart cinder services + tags: + - cinder-config + - cinder-post-install + +- name: Implement policy.json if there are overrides configured + copy: + content: "{{ cinder_policy_overrides | to_nice_json }}" + dest: "/etc/cinder/policy.json" + when: + - cinder_policy_overrides != {} + +# NOTE(cloudnull): This is using "cp" instead of copy with a remote_source +# because we only want to copy the original files once. and we +# don't want to need multiple tasks. 
+- name: Preserve original configuration file(s) + command: "cp {{ item.target_f }} {{ item.target_f }}.original" + args: + creates: "{{ item.target_f }}.original" + with_items: "{{ cinder_core_files }}" + +- name: Fetch override files + fetch: + src: "{{ item.target_f }}.original" + dest: "{{ item.tmp_f }}" + flat: yes + changed_when: false + with_items: "{{ cinder_core_files }}" + run_once: true + +- name: Copy common config + config_template: + src: "{{ item.tmp_f }}" + dest: "{{ item.target_f }}" + owner: "{{ item.owner | default('root') }}" + group: "{{ item.group | default(cinder_system_group_name) }}" + mode: "{{ item.mode | default('0640') }}" + config_overrides: "{{ item.config_overrides }}" + config_type: "{{ item.config_type }}" + with_items: "{{ cinder_core_files }}" + notify: + - Restart cinder services + +- name: Cleanup fetched temp files + file: + path: "{{ item.tmp_f }}" + state: absent + changed_when: false + delegate_to: localhost + with_items: "{{ cinder_core_files }}" + +# NOTE(cloudnull): This will ensure strong permissions on all rootwrap files. +- name: Set rootwrap.d permissions + file: + path: "/etc/cinder/rootwrap.d" + owner: "root" + group: "root" + mode: "0640" + recurse: true - name: Ensure cinder tgt include lineinfile: diff --git a/tasks/cinder_pre_install.yml b/tasks/cinder_pre_install.yml index b9d1ea8c..350e02e5 100644 --- a/tasks/cinder_pre_install.yml +++ b/tasks/cinder_pre_install.yml 
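Review bot: `Implement policy.json if there are overrides configured` writes `/etc/cinder/policy.json` only while `cinder_policy_overrides` is non-empty and never removes it, so once an operator clears the overrides the previously written file stays in place and keeps enforcing the old rules, although the defaults comment suggests clearing the variable returns to the in-code policy. The task also omits `owner`/`group`/`mode`, unlike every other config file in this hunk, so the file's permissions come from the remote umask rather than the `root:{{ cinder_system_group_name }}` `0640` convention the removed handler used. A paired `state: absent` task keyed on the inverse condition covers the cleanup case (limited to source installs if a distro package ships its own policy.json). Separately, `Set rootwrap.d permissions` applies `mode: "0640"` with `recurse: true` to a directory the pre-install hunk creates as `0750`, stripping the directory's execute bits; a symbolic mode such as `mode: "u=rwX,g=rX,o="` keeps directories traversable and files at 0640 in the same task.
```yaml
- name: Implement policy.json if there are overrides configured
  copy:
    content: "{{ cinder_policy_overrides | to_nice_json }}"
    dest: "/etc/cinder/policy.json"
    owner: "root"
    group: "{{ cinder_system_group_name }}"
    mode: "0640"
  when:
    - cinder_policy_overrides != {}

- name: Remove policy.json when no overrides are configured
  file:
    path: "/etc/cinder/policy.json"
    state: absent
  when:
    - cinder_policy_overrides == {}
```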
@@ -31,17 +31,62 @@ createhome: "yes" home: "{{ cinder_system_home_folder }}" +# NOTE(cloudnull): During an upgrade the local directory may exist on a source +# install. If the directory does exist it will need to be +# removed. This is required on source installs because the +# config directory is a link. +- name: Source config block + block: + - name: Stat config directory + stat: + path: "/etc/cinder" + register: cinder_conf_dir_stat + + - name: Remove the config directory + file: + path: "/etc/cinder" + state: absent + when: + - cinder_conf_dir_stat.stat.isdir is defined and + cinder_conf_dir_stat.stat.isdir + when: + - cinder_install_method == 'source' + - name: Create cinder dir file: - path: "{{ item.path }}" - state: directory - owner: "{{ item.owner|default(cinder_system_user_name) }}" - group: "{{ item.group|default(cinder_system_group_name) }}" - mode: "{{ item.mode|default('0755') }}" + path: "{{ item.path | default(omit) }}" + src: "{{ item.src | default(omit) }}" + dest: "{{ item.dest | default(omit) }}" + state: "{{ item.state | default('directory') }}" + owner: "{{ item.owner | default(cinder_system_user_name) }}" + group: "{{ item.group | default(cinder_system_group_name) }}" + mode: "{{ item.mode | default(omit) }}" + force: "{{ item.force | default(omit) }}" + when: + - (item.condition | default(true)) | bool with_items: - - { path: "/openstack", mode: "0755", owner: "root", group: "root" } - - { path: "/var/cache/cinder", mode: "0700" } - - { path: "/etc/cinder", mode: "0750" } - - { path: "/etc/cinder/rootwrap.d", owner: "root", group: "root", mode: "0750" } - - { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" } - - { path: "{{ cinder_system_home_folder }}" } + - path: "/openstack" + mode: "0755" + owner: "root" + group: "root" + - path: "/var/cache/cinder" + mode: "0700" + - path: "{{ (cinder_install_method == 'distro') | ternary('/etc/cinder', (cinder_bin | dirname) + '/etc/cinder') }}" + mode: "0755" + # NOTE(cloudnull): 
The "src" path is relative. This ensures all files remain + # within the host/container confines when connecting to + # them using the connection plugin or the root filesystem. + - dest: "/etc/cinder" + src: "{{ cinder_bin | dirname | regex_replace('^/', '../') }}/etc/cinder" + state: link + force: true + condition: "{{ cinder_install_method == 'source' }}" + - path: "/etc/cinder/rootwrap.d" + owner: "root" + group: "root" + mode: "0750" + - path: "/etc/sudoers.d" + mode: "0750" + owner: "root" + group: "root" + - path: "{{ cinder_system_home_folder }}" diff --git a/templates/api-paste.ini.j2 b/templates/api-paste.ini.j2 deleted file mode 100644 index cb783b8c..00000000 --- a/templates/api-paste.ini.j2 +++ /dev/null 
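Review bot: The config directory entry (`path: "{{ (cinder_install_method == 'distro') | ternary('/etc/cinder', (cinder_bin | dirname) + '/etc/cinder') }}"`) is created with `mode: "0755"` and, because `owner`/`group` stay at their defaults, owned by `cinder_system_user_name`, whereas the `/etc/cinder` entry it replaces was `0750`. On source installs this directory is what `/etc/cinder` now links to and it holds `rootwrap.conf` and `rootwrap.d`; a directory owned by the service account lets that account rename or replace those entries even though the files themselves are root-owned `0640`, which matters because rootwrap is the sudo boundary for the service. Unless some task needs the service user to write there, `mode: "0750"` with `owner: "root"` and `group: "{{ cinder_system_group_name }}"` would restore the previous tightness, and the reason for `0755` should otherwise be stated in the NOTE above. The `Remove the config directory` block also deletes a real `/etc/cinder` together with anything operators placed in it (backend share lists, certificates) with no backup; renaming it to a tagged path such as `/etc/cinder.pre-{{ cinder_venv_tag }}` instead of `state: absent` would keep those files recoverable.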
@@ -1,65 +0,0 @@ -############# -# OpenStack # -############# - -[composite:osapi_volume] -use = call:cinder.api:root_app_factory -/: apiversions -/v2: openstack_volume_api_v2 -/v3: openstack_volume_api_v3 - -[composite:openstack_volume_api_v2] -use = call:cinder.api.middleware.auth:pipeline_factory -noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv2 -keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2 -keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2 - -[composite:openstack_volume_api_v3] -use = call:cinder.api.middleware.auth:pipeline_factory -noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv3 -keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv3 -keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv3 - -[filter:request_id] -paste.filter_factory = oslo_middleware.request_id:RequestId.factory - -[filter:http_proxy_to_wsgi] -paste.filter_factory = oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory - -[filter:cors] -paste.filter_factory = oslo_middleware.cors:filter_factory -oslo_config_project = cinder - -[filter:faultwrap] -paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory - -[filter:osprofiler] -paste.filter_factory = osprofiler.web:WsgiMiddleware.factory - -[filter:noauth] -paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory - -[filter:sizelimit] -paste.filter_factory = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory - -[app:apiv2] -paste.app_factory = cinder.api.v2.router:APIRouter.factory - -[app:apiv3] -paste.app_factory = cinder.api.v3.router:APIRouter.factory - -[pipeline:apiversions] -pipeline = cors http_proxy_to_wsgi faultwrap osvolumeversionapp - -[app:osvolumeversionapp] 
-paste.app_factory = cinder.api.versions:Versions.factory - -########## -# Shared # -########## - -[filter:keystonecontext] -paste.filter_factory = cinder.api.middleware.auth:CinderKeystoneContext.factory - -[filter:authtoken] -paste.filter_factory = keystonemiddleware.auth_token:filter_factory diff --git a/templates/policy.json.j2 b/templates/policy.json.j2 deleted file mode 100644 index c1f95d4d..00000000 --- a/templates/policy.json.j2 +++ /dev/null @@ -1,14 +0,0 @@ -{ - - "consistencygroup:create" : "group:nobody", - "consistencygroup:delete": "group:nobody", - "consistencygroup:update": "group:nobody", - "consistencygroup:get": "group:nobody", - "consistencygroup:get_all": "group:nobody", - - "consistencygroup:create_cgsnapshot" : "group:nobody", - "consistencygroup:delete_cgsnapshot": "group:nobody", - "consistencygroup:get_cgsnapshot": "group:nobody", - "consistencygroup:get_all_cgsnapshots": "group:nobody" - -} diff --git a/templates/rootwrap.conf.j2 b/templates/rootwrap.conf.j2 deleted file mode 100644 index 54e8d284..00000000 --- a/templates/rootwrap.conf.j2 +++ /dev/null 
@@ -1,27 +0,0 @@ -# Configuration for cinder-rootwrap -# This file should be owned by (and only-writeable by) the root user - -[DEFAULT] -# List of directories to load filter definitions from (separated by ','). -# These directories MUST all be only writeable by root ! -filters_path=/etc/cinder/rootwrap.d,/usr/share/cinder/rootwrap - -# List of directories to search executables in, in case filters do not -# explicitely specify a full path (separated by ',') -# If not specified, defaults to system PATH environment variable. -# These directories MUST all be only writeable by root ! -exec_dirs={{ cinder_bin }},/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/usr/lpp/mmfs/bin - -# Enable logging to syslog -# Default value is False -use_syslog=False - -# Which syslog facility to use. -# Valid values include auth, authpriv, syslog, local0, local1... -# Default value is 'syslog' -syslog_log_facility=syslog - -# Which messages to log. -# INFO means log all usage -# ERROR means only log unsuccessful attempts -syslog_log_level=ERROR diff --git a/vars/main.yml b/vars/main.yml index 443b555a..4b7dd4e4 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -13,6 +13,11 @@ # See the License for the specific language governing permissions and # limitations under the License. +_cinder_rootwrap_conf_overrides: + DEFAULT: + filters_path: "/etc/cinder/rootwrap.d,/usr/share/cinder/rootwrap" + exec_dirs: "{{ cinder_bin }},/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin" + # # Compile a list of the services on a host based on whether # the host is in the host group and the service is enabled. 
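Review bot: The new `_cinder_rootwrap_conf_overrides.DEFAULT.exec_dirs` value drops `/usr/lpp/mmfs/bin`, which the deleted `templates/rootwrap.conf.j2` listed, so deployments relying on that path (IBM GPFS tooling) lose it on upgrade unless they set `cinder_rootwrap_conf_overrides` themselves. Narrowing `exec_dirs` is reasonable hardening, but as a silent behaviour change it deserves a comment on the variable and a release note; if the drop is unintended, append `,/usr/lpp/mmfs/bin` to the value. A short comment such as `# Role defaults rendered into rootwrap.conf; operator values from cinder_rootwrap_conf_overrides are merged on top` would also help, since this private variable is otherwise unexplained in the file.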
@@ -29,3 +34,23 @@ filtered_cinder_services: |- {% endif %} {% endfor %} {{ services | sort(attribute='start_order') }} + +cinder_core_files: + - tmp_f: "/tmp/api-paste.ini" + target_f: "/etc/cinder/api-paste.ini" + config_overrides: "{{ cinder_api_paste_ini_overrides }}" + config_type: "ini" + - tmp_f: "/tmp/rootwrap.conf" + target_f: "/etc/cinder/rootwrap.conf" + config_overrides: "{{ _cinder_rootwrap_conf_overrides | combine(cinder_rootwrap_conf_overrides, recursive=True) }}" + config_type: "ini" + owner: "root" + group: "{{ cinder_system_group_name }}" + mode: "0640" + - tmp_f: "/tmp/resource_filters.json" + target_f: "/etc/cinder/resource_filters.json" + config_overrides: "{{ cinder_resource_filters_overrides }}" + config_type: "json" + owner: "root" + group: "{{ cinder_system_group_name }}" + mode: "0640"
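Review bot: `cinder_core_files` lists `/etc/cinder/resource_filters.json` even though the `Copy cinder configs` task in cinder_post_install.yml still renders that same file from `resource_filters.json.j2`, so the file is written twice per run and the `.original` copy taken afterwards is the rendered template rather than anything the service shipped; presumably the template stays for cinder versions that lack the file, in which case the entry belongs in one place or the other with a comment saying why. The `tmp_f` paths are fixed names under the deploy host's shared `/tmp`: two concurrent runs overwrite each other's fetched originals, a pre-placed symlink at `/tmp/rootwrap.conf` would be written through by `fetch`, and the window between `fetch` and `config_template` is open to substitution by any local user before the result is pushed to every host as the rootwrap configuration. A per-run location, such as a directory created with the `tempfile` module at the start of post-install, or at minimum a path under the deploy user's home (e.g. `tmp_f: "{{ lookup('env', 'HOME') }}/.cache/cinder-role/rootwrap.conf"`), removes both the collision and the predictable-path exposure.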